Date: Wed, 2 Aug 2017 15:48:41 -0600
From: Tycho Andersen
To: Mehmet Kayaalp
Cc: ima-devel, containers, linux-kernel, linux-security-module, "Serge E . Hallyn", Yuqiong Sun, David Safford, Mehmet Kayaalp, Stefan Berger
Subject: Re: [RFC PATCH 3/5] ima: mamespace audit status flags
Message-ID: <20170802214841.hw4pzjenxw47rcyp@docker>
References: <20170720225033.21298-1-mkayaalp@linux.vnet.ibm.com> <20170720225033.21298-4-mkayaalp@linux.vnet.ibm.com> <20170801171702.f2szj5huzbt7fdfl@docker> <2848EE0A-2DB8-420B-A611-60967EB90F5C@linux.vnet.ibm.com>
In-Reply-To: <2848EE0A-2DB8-420B-A611-60967EB90F5C@linux.vnet.ibm.com>

On Tue, Aug 01, 2017 at 01:25:31PM -0400, Mehmet Kayaalp wrote:
> >> +unsigned long iint_flags(struct integrity_iint_cache *iint,
> >> +			 struct ns_status *status)
> >> +{
> >> +	if (!status)
> >> +		return iint->flags;
> >> +
> >> +	return iint->flags & (status->flags & IMA_NS_STATUS_FLAGS);
> >
> > Just to confirm, is there any situation where:
> >
> > iint->flags & IMA_NS_STATUS_FLAGS != status->flags & IMA_NS_STATUS_FLAGS
> >
> > ? i.e. can this line just be:
> >
> > return status->flags & IMA_NS_STATUS_FLAGS;
> >
>
> As Guilherme had pointed out, the first & should be |.

Sorry, that mail got filtered somehow, thanks.
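Review bot: the return line "iint->flags & (status->flags & IMA_NS_STATUS_FLAGS)" masks the whole result down to the namespace bits, so whenever a status is present every non-namespace flag of the iint is discarded, while the "if (!status)" path two lines above returns all of iint->flags; the two paths of the same function therefore report different flag sets for the same inode. The combination discussed in the thread, "iint->flags & ~IMA_NS_STATUS_FLAGS | status->flags & IMA_NS_STATUS_FLAGS", keeps the non-namespace bits from the iint and takes the namespace bits from the status only, and a short comment above the return stating which bits are per-namespace would make that split visible to later readers.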
Per your discussion, I guess the most defensive way is:

iint->flags & ~IMA_NS_STATUS_FLAGS | status->flags & IMA_NS_STATUS_FLAGS

in case something comes along and sets IMA_AUDITED on the root iint, we
don't want it to propagate to this ns' status unnecessarily.

Anyway, thanks!

Tycho
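The three candidate bodies of iint_flags() from this thread, side by side, as an added example that is not part of the patch or the mails; the flag bit values, the struct layouts and IMA_NS_STATUS_FLAGS being just the audit bit are assumptions, since the patch's definitions are not quoted here.

```c
#include <stdio.h>

/* Constructed flag values (assumption: laid out like the kernel's IMA_* bits;
 * the patch's definition of IMA_NS_STATUS_FLAGS is not in the thread). */
#define IMA_MEASURED        0x00000002UL
#define IMA_COLLECTED       0x00000010UL
#define IMA_AUDITED         0x00000040UL
#define IMA_NS_STATUS_FLAGS (IMA_AUDITED)

struct iint      { unsigned long flags; };   /* stands in for integrity_iint_cache */
struct ns_status { unsigned long flags; };

/* As posted: with a status present, only flags set in BOTH the root iint and the
 * namespace survive, and every non-namespace flag is dropped. */
unsigned long iint_flags_posted(const struct iint *iint, const struct ns_status *st)
{
    if (!st)
        return iint->flags;
    return iint->flags & (st->flags & IMA_NS_STATUS_FLAGS);
}

/* First & turned into |: root flags plus the namespace's own audit flags, so an
 * IMA_AUDITED set on the root iint shows up in every namespace. */
unsigned long iint_flags_or(const struct iint *iint, const struct ns_status *st)
{
    if (!st)
        return iint->flags;
    return iint->flags | (st->flags & IMA_NS_STATUS_FLAGS);
}

/* Defensive form from the reply: namespaced bits come only from the status,
 * all other bits only from the root iint. (& binds tighter than |, so the
 * unparenthesised expression in the mail means the same thing.) */
unsigned long iint_flags_defensive(const struct iint *iint, const struct ns_status *st)
{
    if (!st)
        return iint->flags;
    return (iint->flags & ~IMA_NS_STATUS_FLAGS) | (st->flags & IMA_NS_STATUS_FLAGS);
}

/* Runs one root/namespace flag combination through a candidate body. */
unsigned long eval(unsigned long (*fn)(const struct iint *, const struct ns_status *),
                   unsigned long root_flags, unsigned long ns_flags)
{
    struct iint iint = { root_flags };
    struct ns_status st = { ns_flags };
    return fn(&iint, &st);
}
```

With a root iint that is measured, collected and audited and a namespace that has not audited the file yet, the posted form returns no flags at all, the | form reports the namespace as audited, and the defensive form returns only the measured and collected bits.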